[VUNERABILITY] Accessing PHP source from remote user

Could this be made into an on/off setting in the admin settings in the next release?
 
Sorry, but open_basedir is not the solution to everything, PHP has enough security holes in it's implementation that any half-determined person can get around it.

The solution to this is for sites to operate in a chroot environment. There are other control panels that do this, and do it well. It's basically the only thing missing from DA that keeps our operation based around another CP instead of switching to DA for our shared hosting servers.
 
Joe, I don't see this option in DA's Admin control panel. I just updated to the latest also, and it still isn't there. Where is it hiding in there?
 
No wonder. Looked like Joe was discussing the open_basedir option, I must have gotten lost reading this thread.

Can someone confirm that open_basedir fix this probem? Also, the script or edit-the-file method earlier in this post will enable open_basedir accurately?
 
zaphod said:
Sorry, but open_basedir is not the solution to everything, PHP has enough security holes in it's implementation that any half-determined person can get around it.

The solution to this is for sites to operate in a chroot environment. There are other control panels that do this, and do it well. It's basically the only thing missing from DA that keeps our operation based around another CP instead of switching to DA for our shared hosting servers.
Click to expand...

noone said it was, just the solution to this particular problem in this thread,

If you want chroot so bad mod_security has an easy way of enabling it.
 
What I meant is that is isn't a complete solution for *this* problem. It's far better than nothing, but it's also able to be gotten past.
 
tony1234 said:
Can someone confirm that open_basedir fix this probem? Also, the script or edit-the-file method earlier in this post will enable open_basedir accurately?
Click to expand...
I thought I had already confirmed it, but if you like i'll confirm it again:

I did enable the open_basedir option using the method gxx described. It works accurately.
Before enabling open_basedir I was able to read files in another users folder with the method described by frosty. After enabling open_basedir I got an error message if I ran the same script. So it works.

Maybe there are still other security holes like zaphod mentioned, but at least the readfile function problem that frosty found is solved if you enable open_basedir.
 
Last edited:
I figured that I would give this open_basedir setting a try..

I uncommented it in each of the virtual_host*.conf files:

#php_admin_value open_basedir |HOME|/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/

..but my phpinfo() is still showing open_basedir of 'none' for some reason.

Before uncommenting the line in the /usr/local/directadmin/data/templates/virtual_host*.conf files I copied them all to the custom directory and only had those uncommented, same results.

I'm using FreeBSD 5.4 with DA 1.26.2

Am I missing something? Seemed pretty straight forward from the discussion.
 
Spook,
Did you issue the command to DirectAdmin to rewrite all of the httpd.conf files with the new template?

And did you restart DirectAdmin after it finished?
 
You must log in or register to reply here.
Back
Top